An authenticated Remote Command Execution (RCE) vulnerability was found by NinTechNet in the WordPress Secure File Manager plugin (versions <= 2.5).
The plugin has been removed from the wordpress.org plugin repository. We highly recommend deleting this plugin from your WordPress sites.
wordpress.org notice: "This plugin has been closed as of September 8, 2020 and is not available for download. Reason: Security Issue."
Type: Arbitrary Code Execution
OWASP Top 10: A1: Injection